In some cases, you may find that you need to regenerate the SSL certificates and security credentials (private and public keys) that are generated by PE's built-in certificate authority (CA). For example, you may have a Puppet master you need to move to a different network in your infrastructure, or you may find you need to regenerate all the certificates and security credentials in your infrastructure due to an unforeseen security vulnerability.

Regenerate certificates in PE: split installs

You can regenerate all certificates in a split PE deployment including the certificates and keys for the Puppet master, PuppetDB, console, and associated services.

Before you begin

You must be logged in as root to make these changes.

In the following instructions, when <CERTNAME> is used, it refers to the agent's certname on each node. To find this value, run puppet config print certname before starting.

Regenerating your certificates will invalidate all existing authentication tokens. Once the regeneration process is complete, all PE users must generate new authentication tokens.

Regenerating your certificates involves the following tasks:

Back up certificate directories

(Optional) Delete and recreate the Puppet certificate authority (CA)

Regenerate the Puppet master, console, and PuppetDB certificates

Configure PE

Back up certificate directories

If something goes wrong during the regeneration process, you may need to restore these directories so your deployment can stay functional. However, if you needed to regenerate your certs for security reasons and couldn't, you should contact Puppet support as soon as you restore service so we can help you secure your site.

On the Puppet master, back up the following directories:

/etc/puppetlabs/puppet/ssl/

/etc/puppetlabs/orchestration-services/ssl

On the PuppetDB node, back up the following directories:

/etc/puppetlabs/puppet/ssl/

/etc/puppetlabs/puppetdb/ssl/

/opt/puppetlabs/server/data/postgresql/9.6/data/certs/

On the console, back up the following directories:

/etc/puppetlabs/puppet/ssl/

/opt/puppetlabs/server/data/console-services/certs/
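The backup step above is the one you cannot redo after the CA has been deleted, so it is worth scripting rather than copying directories by hand. The following is an added example, not a script shipped with Puppet Enterprise: it packs whichever of the listed directories exist on the node into one timestamped, root-only tarball and gives you a check that a given file really made it into the archive before you proceed to delete anything. The destination directory and the helper names are assumptions; pass the directory list that matches the node's role.

```shell
#!/bin/sh
# Added example (not from the PE documentation): back up the PE certificate
# directories before regenerating anything. Run as root on each node.
set -u

# backup_cert_dirs DEST DIR... : create DEST/pe-certs-<timestamp>.tar.gz from
# every DIR that exists. Directories missing on this node (e.g. the PuppetDB
# paths on a console node) are reported and skipped, so one script serves
# all three roles. Prints the archive path on success, returns 1 otherwise.
backup_cert_dirs() {
    dest=$1; shift
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/pe-certs-$stamp.tar.gz"
    mkdir -p "$dest"
    chmod 700 "$dest"                      # private keys will live in here
    rel=""
    for d in "$@"; do
        if [ -d "$d" ]; then
            rel="$rel ${d#/}"              # store paths relative to /
        else
            echo "skipping $d (not present on this node)" >&2
        fi
    done
    [ -n "$rel" ] || { echo "nothing to back up" >&2; return 1; }
    # Paths are relative to / so a restore is exactly: tar -xzpf ARCHIVE -C /
    # shellcheck disable=SC2086
    tar -C / -czf "$archive" $rel || return 1
    chmod 600 "$archive"
    echo "$archive"
}

# verify_backup ARCHIVE PATH : succeed only if PATH is stored in ARCHIVE, so
# the destructive steps never run on the strength of an empty tarball.
verify_backup() {
    tar -tzf "$1" | grep -Fqx "${2#/}"
}

# Invoke with --run on a Puppet master (assumed destination /root/pe-cert-backup):
if [ "${1:-}" = "--run" ]; then
    a=$(backup_cert_dirs /root/pe-cert-backup \
            /etc/puppetlabs/puppet/ssl \
            /etc/puppetlabs/orchestration-services/ssl) || exit 1
    verify_backup "$a" /etc/puppetlabs/puppet/ssl/ca/ca_key.pem || exit 1
    echo "backed up to $a"
fi
```

On the PuppetDB and console nodes pass that node's directory list from the section above instead; the verification path should be a file you know exists on that node (for example the node's own private key under /etc/puppetlabs/puppet/ssl/private_keys/). Keep the tarball off the node if the reason for regenerating is a suspected compromise.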

(Optional) Delete and recreate the master CA

If needed, you can delete and recreate the Puppet CA before regenerating the rest of the certificates in your split deployment.

CAUTION: This is an optional step and is meant for use in the event of a total compromise of your site, or some other unusual circumstance. This destroys the certificate authority and all other certificates.

Run the following commands on your master or CA server.

Delete the CA and clear all certs from your master: rm -rf /etc/puppetlabs/puppet/ssl/*

Regenerate the CA: puppet cert list -a (with the ssl directory empty, this command causes Puppet to create a new CA key and certificate before listing requests)

You should see this message: Notice: Signed certificate request for ca

Regenerate the Puppet master certificates

In this step, you'll create the certificates for the split Puppet master.

Update the configuration of PE

Note: Be sure to specify any DNS alt names you have in the pe_install::puppet_master_dnsaltnames array in /etc/puppetlabs/enterprise/conf.d/pe.conf. You can find the list of your current DNS alt names with puppet cert list <CERTNAME>. By default, PE uses puppet and puppet.domain.
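Because any alt name left out of pe_install::puppet_master_dnsaltnames is silently dropped from the regenerated certificate, it helps to derive the pe.conf line from the current certificate rather than retype it. The following is an added example, not part of the PE documentation: it takes the output of puppet cert list <CERTNAME> on standard input and prints the matching pe.conf entry. It assumes the output format used by the puppet cert command at the time of this page, where alt names appear at the end of the line as (alt names: "DNS:puppet", "DNS:puppet.example.com", ...); the sample line is constructed for illustration and the helper name is an assumption.

```shell
#!/bin/sh
# Added example (not from the PE documentation): turn the alt names shown by
# `puppet cert list <CERTNAME>` into the pe.conf setting for regeneration.
set -u

# Constructed sample of a `puppet cert list` line (not real output from any site).
SAMPLE_CERT_LIST_LINE='+ "master.example.com" (SHA256) 0A:1B:2C:3D:4E:5F (alt names: "DNS:puppet", "DNS:puppet.example.com", "DNS:master.example.com")'

# altnames_to_peconf : read `puppet cert list` output on stdin and print
#   "pe_install::puppet_master_dnsaltnames": ["name1", "name2", ...]
# Only DNS: entries are kept; the setting is DNS alt names, so an IP: entry
# would not belong there. Returns 1 if no DNS alt names were found, so a
# certificate without alt names does not produce an empty array.
altnames_to_peconf() {
    names=$(sed -n 's/.*(alt names: \(.*\)).*/\1/p' \
            | tr -d '"' | tr ',' '\n' \
            | sed -n 's/^[[:space:]]*DNS://p')
    [ -n "$names" ] || return 1
    out=""
    for n in $names; do
        out="$out, \"$n\""
    done
    printf '"pe_install::puppet_master_dnsaltnames": [%s]\n' "${out#, }"
}

# Invoke with --run on the master to read the live certificate:
if [ "${1:-}" = "--run" ]; then
    puppet cert list "$(puppet config print certname)" | altnames_to_peconf \
        || { echo "no DNS alt names found on this certificate" >&2; exit 1; }
fi
```

Compare the printed array with what is already in /etc/puppetlabs/enterprise/conf.d/pe.conf and add any name that is missing; do not remove the defaults puppet and puppet.domain unless you are certain no agent contacts the master under them.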